Playtronics.dev

Evoko Overview Unquoted Service Path Vulnerability

As of writing, affects versions 2.0.4 and 2.0.3.


Overview

Evoko Overview, a display system used with Evoko Home meeting room solutions, contains a vulnerability in its service configuration. The Evoko Overview service is installed with an unquoted ImagePath in the Windows Registry and runs with SYSTEM privileges. This combination of factors allows a potential attacker to exploit a common weakness (CWE-428) by introducing a malicious executable into the system PATH. NOTE: An attacker must have the ability to write to either of the following directories in order to abuse this vulnerability:

C:\Program Files (x86)
C:\Program Files (x86)\Evoko\Overview Screen

Technical Description

The vulnerable registry entry typically appears by default as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evoko-overview\ImagePath
C:\Program Files (x86)\Evoko\Overview Screen\bin\nssm.exe

The lack of quotation marks around the file path means Windows will search the entire system PATH for the executable "nssm.exe". If an attacker places a malicious file with this name earlier in the PATH, the Evoko Overview service will unknowingly execute it with the elevated privileges of the SYSTEM account. This could lead to complete compromise of the affected system.

Impact

Successful exploitation of this vulnerability can have severe consequences:

  • Privilege Escalation: An attacker can gain SYSTEM-level control, the highest possible privilege level on a Windows system.

  • System Compromise: The attacker can install malware, exfiltrate sensitive data, or perform other malicious activities.

  • Lateral Movement: The compromised system can be used as a foothold to attack other systems on the network.

Affected Versions

As of writing, this vulnerability has been discovered in versions 2.0.4 and 2.0.3.

Remediation

To mitigate this vulnerability, administrators should modify the registry entry to include quotation marks around the ImagePath:

"C:\Program Files (x86)\Evoko\Overview Screen\bin\nssm.exe"

This ensures that Windows only executes the legitimate "nssm.exe" file located in the specified directory.
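One way to audit for this condition and apply the quoting fix from an elevated PowerShell prompt. This is an added example, not code from the original advisory or from the vendor. The helper name Test-UnquotedImagePath is hypothetical, the script assumes ImagePath is stored as REG_EXPAND_SZ (the usual type for service entries), and the write is left behind -WhatIf so nothing changes until that switch is removed.

```powershell
# Added example: audit service ImagePath values, then quote the evoko-overview entry.
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Read values as stored, without expanding %variables%
$raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
# Executable = shortest prefix ending in ".exe"; anything after it is arguments
$pattern = '^(?<exe>.+?\.exe)(?<args>(\s.*)?)$'

function Test-UnquotedImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    # Skip empty values, already-quoted values and non-.exe entries (e.g. drivers)
    if ($p -eq '' -or $p.StartsWith('"') -or $p -notmatch $pattern) { return $false }
    # Flag only when the executable portion itself contains a space
    return $Matches['exe'].Contains(' ')
}

# 1. Audit: list every service whose executable path has spaces but no quotes
Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $ip = $_.GetValue('ImagePath', $null, $raw)
    if ($ip -is [string] -and (Test-UnquotedImagePath $ip)) {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $ip }
    }
} | Format-Table -AutoSize -Wrap

# 2. Remediate the entry from this page by quoting the executable portion only
$key = Join-Path $servicesRoot 'evoko-overview'
$current = (Get-Item $key -ErrorAction Stop).GetValue('ImagePath', $null, $raw)
if (Test-UnquotedImagePath $current) {
    $null = $current.Trim() -match $pattern
    $fixed = '"{0}"{1}' -f $Matches['exe'], $Matches['args']
    # -WhatIf previews the change without writing; remove it to apply
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed -Type ExpandString -WhatIf
}

# 3. Verify: once applied, the stored value should start with a quotation mark
(Get-Item $key).GetValue('ImagePath', $null, $raw)
```

Any other services listed by step 1 have the same unquoted-path condition and can be reviewed the same way.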

Vendor Response

Biamp, the vendor of Evoko products, has acknowledged this vulnerability and committed to releasing a patch in a future version of Evoko Overview. However, a specific timeline for the patch has not been provided.

Default registry entry for the evoko-overview service.